Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Ethics and Compliance Programs: Moving from “Good Enough” to “Great”

The U.S. Federal Sentencing Guidelines and, more recently, promulgations by the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance, have called for organizations to develop effective compliance risk mitigation programs and internal safeguards to protect against internal and external threats of corruption and fraud. Despite decades of experience in developing such practices, the results appear to remain uneven at best, which is especially concerning at a time when risks are increasing.

The stunning growth of social media, mobile technologies and big data has ushered in a new era of transparency, exposing illegal transactions and raising profound new ethical questions in the way business is conducted. Ethics and compliance executives have come a long way in developing sophisticated measures to prevent, detect and mitigate risk of malfeasance in their organizations. Meanwhile, those who wish to violate the rule of law and gain unfair advantage are using more sophisticated tactics.

“Good enough” today just is not good enough. Organizations should continuously strive for “great” in their ethics and compliance program.

What separates a “good” ethics and compliance program from a “great” one? How does an organization’s investment in compliance and reputational risk mitigation systems and processes measure up against leading practices? At a time when risks are increasing, what are the building blocks upon which to build a world-class program that not only protects an organization from internal and external threats, but also enhances its brand and strengthens its relationships with all stakeholders?

While a number of factors separate the “good” from the “great,” the following five are key differentiators in the highest-performing compliance programs.

Keith Darcy, Independent Senior Advisor, Deloitte & Touche LLP

Tone at the top—The starting point for any world-class ethics and compliance program is the board and senior management, and the sense of responsibility they share to protect the shareholders’ reputational and financial assets. The board and senior management should do more than pay “lip service” to ethics and compliance. The ethics and compliance culture must permeate throughout the entire organization, without exception, and should evidence itself through balanced performance metrics considered in the performance measurement of senior management. The board and senior management should empower and properly resource those individuals who have day-to-day responsibilities to mitigate risks and build organizational trust. The entire organization is accountable. Words without actions are an empty chalice.

Corporate culture—Among the most essential elements of a “great” program is building a culture of integrity, and that is derived from the tone at the top. Culture, by far, tends to be one of the single biggest determinants of behavior in many organizations. As a leading corporate director once said, “In the fight between culture and compliance, culture will always win.”* Culture comprises the underlying values, beliefs, attitudes and expectations shared by an organization, and against which decisions are made and behaviors are formed. For this reason, a culture of integrity is central to any effective ethics and compliance program. If an organization is not managing culture, you can be sure of only one thing – that culture is managing the organization. Importantly, ethics and compliance programs that do not clearly contribute to a culture of ethical and compliant behavior may be viewed as perfunctory functions instilling controls that are impediments to driving the “value change” of the enterprise. If and when that happens, they can become nothing more than roadblocks to be circumvented.

Risk assessments—The velocity of change in today’s world is accelerating, and with it an ever-changing risk landscape, with old risks remaining important and new risks appearing on the scene. Ethics and compliance risk assessments are not just about process, but also about the results and a deep understanding of the risks that an organization faces. The risk assessment focuses the board and senior management on significant risks and the highest risk concentration within the organization, and it provides the basis for honest consideration of the actions necessary to avoid, mitigate, or remediate those risks. It provides a critical tool for the allocation of scarce resources. Re-assessing these risks on a continuous basis is required in a transparent world that is constantly exposing new risks.

George Hanley, Director, Deloitte & Touche LLP

Testing and monitoring—Critical to the success of any organization’s efforts in managing risk is a robust testing and monitoring program to help assure the control environment is effective. All the policies, practices and procedures developed to manage risk are irrelevant if they are poorly understood and executed and, as a result, do not change the behavior of the organization. It begins with implementing appropriate controls, which should be tested and ultimately monitored and audited on a regular basis. In the spirit of ongoing testing and monitoring, it is also crucial to perform periodic cultural assessments and reinforce the desired behaviors while remediating the negative ones.

The chief ethics and compliance officer—The chief ethics and compliance officer has day-to-day responsibility for overseeing the management of compliance and reputational risks, and this officer is the agent for the board’s fiduciary obligations to provide oversight and accountability of such. It requires someone with an uncommon breadth of experiences who can design the necessary risk architecture, assess business and cultural risks across a variety of businesses and geographies, develop training and communication strategies, build comprehensive databases and assess data analytics, while conducting sometimes critical investigations. It requires someone who can take a balanced approach to ethics and compliance and who, by his or her nature, can build partnerships with business leaders that enhance levels of trust both internally and externally with all stakeholders. A skilled chief ethics and compliance officer can create a competitive edge for their organization. Such individuals are not always easy to find, and appropriate training and coaching can benefit both the individual and the organization.

By themselves, none of the above differentiating factors can protect organizations from ethics and compliance breaches. But, when they are part of an organization’s fabric and way of doing business, there’s a better chance of moving from “good enough” to “great” and becoming an organization that attracts the trust and admiration of employees, customers, investors, regulators and other stakeholders alike.
